Subject: Re: Email Authentication - Why not make it optional?
Newsgroups: lugnet.admin.nntp, lugnet.general
Date: Wed, 20 Jun 2001 05:13:52 GMT
In lugnet.admin.nntp, Ross Crawford writes:
> In lugnet.admin.nntp, Lindsay Frederick Braun writes:
> > In lugnet.admin.nntp, Kyle D. Jackson writes:
> > > Because it still allows an unauthorized person to post to LUGNET.
> > > The point wasn't to protect people who didn't want to be cloned. It
> > > was to keep out people who weren't authorized to post. In our most
> > > famous case, we have a person who had been banned from LUGNET, but
> > > continued to post here, disrupting things, attacking other users,
> > > and making outright threats. If authentication were optional that
> > > person could continue to post.
> >
> > Right. And it's not isolated--ask any of the few people who
> > actually frequent the entire server, and they'll tell you.
> > Best not to wait for a full-blown hurricane before installing
> > seawalls.
>
> But a seawall's not gonna help you against an earthquake...

It was hurricane season so a seawall was what was needed. If and when there
is an earthquake likely that would be the time to do things to earthquake-proof.

> > Anyways, I'm happy about the development. The circumstances
> > of its implementation are less than pleasant, but it's no big
> > hassle and a welcome sense of security. (And another reason to
> > register--log in and authentication isn't necessary!)
>
> ...if you use the web to post. Most of the people complaining use email or a
> newsreader to post, for which there's no way to "log on".

They should consider switching to the web mechanism or putting up with the
inconvenience, while Todd, who I feel is extremely clever, and who said he
was thinking about ways to help, comes up with mechanisms to ameliorate
their plight. Not that I think it's much of a plight, actually, but then I
use the web interface exclusively now, while I am logged in, so for me it is
zero impact except perhaps a slightly longer time to post (not that I have
actually seen it, I suspect it adds milliseconds at most).

And the current method seems quite hard to break. I don't want to kick off a
lot of speculation about how to defeat it but I'm pretty satisfied that it
would be very difficult to defeat unless the spoofer has access to the email
account of the person he is spoofing, or unless the spoofer has access to
the password of a member. (And you may recall now that I complained
vociferously that the password algorithm was rejecting all my easy passwords
and only allowing hard to crack ones. Guess what? I was wrong about that. I
am glad the password algorithm that filters out new passwords as insecure is
as picky as it is...)

To Brad's original "just ignore it" suggestion: We tried that. The consensus
was that it didn't work. Our spoofer was just too disruptive.

++Lar